4 files changed, 63 insertions, 0 deletions
diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass
index 7e8f8b9ff5..6fc60a1d97 100644
--- a/meta/classes/create-spdx-2.2.bbclass
+++ b/meta/classes/create-spdx-2.2.bbclass
@@ -137,6 +137,11 @@ def add_package_files(d, doc, spdx_pkg, topdir, get_spdxid, get_types, *, archiv
    spdx_files = []
    file_counter = 1
+    check_compiled_sources = d.getVar("SPDX_INCLUDE_COMPILED_SOURCES") == "1"
+    if check_compiled_sources:
+        compiled_sources, types = oe.spdx_common.get_compiled_sources(d)
+        bb.debug(1, f"Total compiled files: {len(compiled_sources)}")
    for subdir, dirs, files in os.walk(topdir):
        dirs[:] = [d for d in dirs if d not in ignore_dirs]
        if subdir == str(topdir):
@@ -147,6 +152,10 @@ def add_package_files(d, doc, spdx_pkg, topdir, get_spdxid, get_types, *, archiv
            filename = str(filepath.relative_to(topdir))
            if not filepath.is_symlink() and filepath.is_file():
+                # Check if file is compiled
+                if check_compiled_sources:
+                     if not oe.spdx_common.is_compiled_source(filename, compiled_sources, types):
+                          continue
                spdx_file = oe.spdx.SPDXFile()
                spdx_file.SPDXID = get_spdxid(file_counter)
                for t in get_types(filepath):
diff --git a/meta/classes/spdx-common.bbclass b/meta/classes/spdx-common.bbclass
index 713a7fc651..ca0416d1c7 100644
--- a/meta/classes/spdx-common.bbclass
+++ b/meta/classes/spdx-common.bbclass
@@ -26,6 +26,7 @@ SPDX_TOOL_VERSION ??= "1.0"
 SPDXRUNTIMEDEPLOY = "${SPDXDIR}/runtime-deploy"
 SPDX_INCLUDE_SOURCES ??= "0"
+SPDX_INCLUDE_COMPILED_SOURCES ??= "0"
 SPDX_UUID_NAMESPACE ??= "sbom.openembedded.org"
 SPDX_NAMESPACE_PREFIX ??= "http://spdx.org/spdxdocs"
@@ -40,6 +41,8 @@ SPDX_MULTILIB_SSTATE_ARCHS ??= "${SSTATE_ARCHS}"
 python () {
    from oe.cve_check import extend_cve_status
    extend_cve_status(d)
+    if d.getVar("SPDX_INCLUDE_COMPILED_SOURCES") == "1":
+        d.setVar("SPDX_INCLUDE_SOURCES", "1")
 }
 def create_spdx_source_deps(d):
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index 61d7ba45e3..beeafc2bb7 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -156,6 +156,11 @@ def add_package_files(
        bb.note(f"Skip {topdir}")
        return spdx_files
+    check_compiled_sources = d.getVar("SPDX_INCLUDE_COMPILED_SOURCES") == "1"
+    if check_compiled_sources:
+        compiled_sources, types = oe.spdx_common.get_compiled_sources(d)
+        bb.debug(1, f"Total compiled files: {len(compiled_sources)}")
    for subdir, dirs, files in os.walk(topdir, onerror=walk_error):
        dirs[:] = [d for d in dirs if d not in ignore_dirs]
        if subdir == str(topdir):
@@ -171,6 +176,11 @@ def add_package_files(
            filename = str(filepath.relative_to(topdir))
            file_purposes = get_purposes(filepath)
+            # Check if file is compiled
+            if check_compiled_sources:
+                if not oe.spdx_common.is_compiled_source(filename, compiled_sources, types):
+                    continue
            spdx_file = objset.new_file(
                get_spdxid(file_counter),
                filename,
diff --git a/meta/lib/oe/spdx_common.py b/meta/lib/oe/spdx_common.py
index 4caefc7673..c2dec65563 100644
--- a/meta/lib/oe/spdx_common.py
+++ b/meta/lib/oe/spdx_common.py
@@ -242,3 +242,44 @@ def fetch_data_to_uri(fd, name):
        uri = uri + "@" + fd.revision
    return uri
+def is_compiled_source (filename, compiled_sources, types):
+    """
+    Check if the file is a compiled file
+    """
+    import os
+    # If we don't have compiled source, we assume all are compiled.
+    if not compiled_sources:
+        return True
+    # We return always true if the file type is not in the list of compiled files.
+    # Some files in the source directory are not compiled, for example, Makefiles,
+    # but also python .py file. We need to include them in the SPDX.
+    basename = os.path.basename(filename)
+    ext = basename.partition(".")[2]
+    if ext not in types:
+        return True
+    # Check that the file is in the list
+    return filename in compiled_sources
+def get_compiled_sources(d):
+    """
+    Get list of compiled sources from debug information and normalize the paths
+    """
+    import itertools
+    source_info = oe.package.read_debugsources_info(d)
+    if not source_info:
+        bb.debug(1, "Do not have debugsources.list. Skipping")
+        return [], []
+    # Sources are not split now in SPDX, so we aggregate them
+    sources = set(itertools.chain.from_iterable(source_info.values()))
+    # Check extensions of files
+    types = set()
+    for src in sources:
+        basename = os.path.basename(src)
+        ext = basename.partition(".")[2]
+        if ext not in types and ext:
+            types.add(ext)
+    bb.debug(1, f"Num of sources: {len(sources)} and types: {len(types)} {str(types)}")
+    return sources, types

diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass index 7e8f8b9ff5..6fc60a1d97 100644 --- a/meta/classes/create-spdx-2.2.bbclass +++ b/meta/classes/create-spdx-2.2.bbclass
@@ -137,6 +137,11 @@ def add_package_files(d, doc, spdx_pkg, topdir, get_spdxid, get_types, *, archiv
137	spdx_files = []	137	spdx_files = []
138		138
139	file_counter = 1	139	file_counter = 1
		140
		141	check_compiled_sources = d.getVar("SPDX_INCLUDE_COMPILED_SOURCES") == "1"
		142	if check_compiled_sources:
		143	compiled_sources, types = oe.spdx_common.get_compiled_sources(d)
		144	bb.debug(1, f"Total compiled files: {len(compiled_sources)}")
140	for subdir, dirs, files in os.walk(topdir):	145	for subdir, dirs, files in os.walk(topdir):
141	dirs[:] = [d for d in dirs if d not in ignore_dirs]	146	dirs[:] = [d for d in dirs if d not in ignore_dirs]
142	if subdir == str(topdir):	147	if subdir == str(topdir):
@@ -147,6 +152,10 @@ def add_package_files(d, doc, spdx_pkg, topdir, get_spdxid, get_types, *, archiv
147	filename = str(filepath.relative_to(topdir))	152	filename = str(filepath.relative_to(topdir))
148		153
149	if not filepath.is_symlink() and filepath.is_file():	154	if not filepath.is_symlink() and filepath.is_file():
		155	# Check if file is compiled
		156	if check_compiled_sources:
		157	if not oe.spdx_common.is_compiled_source(filename, compiled_sources, types):
		158	continue
150	spdx_file = oe.spdx.SPDXFile()	159	spdx_file = oe.spdx.SPDXFile()
151	spdx_file.SPDXID = get_spdxid(file_counter)	160	spdx_file.SPDXID = get_spdxid(file_counter)
152	for t in get_types(filepath):	161	for t in get_types(filepath):


diff --git a/meta/classes/spdx-common.bbclass b/meta/classes/spdx-common.bbclass index 713a7fc651..ca0416d1c7 100644 --- a/meta/classes/spdx-common.bbclass +++ b/meta/classes/spdx-common.bbclass
@@ -26,6 +26,7 @@ SPDX_TOOL_VERSION ??= "1.0"
26	SPDXRUNTIMEDEPLOY = "${SPDXDIR}/runtime-deploy"	26	SPDXRUNTIMEDEPLOY = "${SPDXDIR}/runtime-deploy"
27		27
28	SPDX_INCLUDE_SOURCES ??= "0"	28	SPDX_INCLUDE_SOURCES ??= "0"
		29	SPDX_INCLUDE_COMPILED_SOURCES ??= "0"
29		30
30	SPDX_UUID_NAMESPACE ??= "sbom.openembedded.org"	31	SPDX_UUID_NAMESPACE ??= "sbom.openembedded.org"
31	SPDX_NAMESPACE_PREFIX ??= "http://spdx.org/spdxdocs"	32	SPDX_NAMESPACE_PREFIX ??= "http://spdx.org/spdxdocs"
@@ -40,6 +41,8 @@ SPDX_MULTILIB_SSTATE_ARCHS ??= "${SSTATE_ARCHS}"
40	python () {	41	python () {
41	from oe.cve_check import extend_cve_status	42	from oe.cve_check import extend_cve_status
42	extend_cve_status(d)	43	extend_cve_status(d)
		44	if d.getVar("SPDX_INCLUDE_COMPILED_SOURCES") == "1":
		45	d.setVar("SPDX_INCLUDE_SOURCES", "1")
43	}	46	}
44		47
45	def create_spdx_source_deps(d):	48	def create_spdx_source_deps(d):


diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py index 61d7ba45e3..beeafc2bb7 100644 --- a/meta/lib/oe/spdx30_tasks.py +++ b/meta/lib/oe/spdx30_tasks.py
@@ -156,6 +156,11 @@ def add_package_files(
156	bb.note(f"Skip {topdir}")	156	bb.note(f"Skip {topdir}")
157	return spdx_files	157	return spdx_files
158		158
		159	check_compiled_sources = d.getVar("SPDX_INCLUDE_COMPILED_SOURCES") == "1"
		160	if check_compiled_sources:
		161	compiled_sources, types = oe.spdx_common.get_compiled_sources(d)
		162	bb.debug(1, f"Total compiled files: {len(compiled_sources)}")
		163
159	for subdir, dirs, files in os.walk(topdir, onerror=walk_error):	164	for subdir, dirs, files in os.walk(topdir, onerror=walk_error):
160	dirs[:] = [d for d in dirs if d not in ignore_dirs]	165	dirs[:] = [d for d in dirs if d not in ignore_dirs]
161	if subdir == str(topdir):	166	if subdir == str(topdir):
@@ -171,6 +176,11 @@ def add_package_files(
171	filename = str(filepath.relative_to(topdir))	176	filename = str(filepath.relative_to(topdir))
172	file_purposes = get_purposes(filepath)	177	file_purposes = get_purposes(filepath)
173		178
		179	# Check if file is compiled
		180	if check_compiled_sources:
		181	if not oe.spdx_common.is_compiled_source(filename, compiled_sources, types):
		182	continue
		183
174	spdx_file = objset.new_file(	184	spdx_file = objset.new_file(
175	get_spdxid(file_counter),	185	get_spdxid(file_counter),
176	filename,	186	filename,


diff --git a/meta/lib/oe/spdx_common.py b/meta/lib/oe/spdx_common.py index 4caefc7673..c2dec65563 100644 --- a/meta/lib/oe/spdx_common.py +++ b/meta/lib/oe/spdx_common.py
@@ -242,3 +242,44 @@ def fetch_data_to_uri(fd, name):
242	uri = uri + "@" + fd.revision	242	uri = uri + "@" + fd.revision
243		243
244	return uri	244	return uri
		245
		246	def is_compiled_source (filename, compiled_sources, types):
		247	"""
		248	Check if the file is a compiled file
		249	"""
		250	import os
		251	# If we don't have compiled source, we assume all are compiled.
		252	if not compiled_sources:
		253	return True
		254
		255	# We return always true if the file type is not in the list of compiled files.
		256	# Some files in the source directory are not compiled, for example, Makefiles,
		257	# but also python .py file. We need to include them in the SPDX.
		258	basename = os.path.basename(filename)
		259	ext = basename.partition(".")[2]
		260	if ext not in types:
		261	return True
		262	# Check that the file is in the list
		263	return filename in compiled_sources
		264
		265	def get_compiled_sources(d):
		266	"""
		267	Get list of compiled sources from debug information and normalize the paths
		268	"""
		269	import itertools
		270	source_info = oe.package.read_debugsources_info(d)
		271	if not source_info:
		272	bb.debug(1, "Do not have debugsources.list. Skipping")
		273	return [], []
		274
		275	# Sources are not split now in SPDX, so we aggregate them
		276	sources = set(itertools.chain.from_iterable(source_info.values()))
		277	# Check extensions of files
		278	types = set()
		279	for src in sources:
		280	basename = os.path.basename(src)
		281	ext = basename.partition(".")[2]
		282	if ext not in types and ext:
		283	types.add(ext)
		284	bb.debug(1, f"Num of sources: {len(sources)} and types: {len(types)} {str(types)}")
		285	return sources, types